Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

INSIGNON.EXE

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.776543952745954
Filename:	INSIGNON.EXE
Filesize:	1429504
MD5:	4eb9ce3332c6d41fc80ed09cfc939c38
SHA1:	3f129474c227f5b21595a11934401759065b29db
SHA256:	9fdc124fcf1a99c7af2bf8b8f799aaa310906c8940805b6149158355c5127459
SHA512:	c7f3680f2d71dfde171e636929c83937969302027dd021d452dc55aa1357d01cc3539b53a2ba2714bffdfe44c0455229937dd51d29866e30c4f8ec9b98d511d7
SSDEEP:	12288:L7/zHL6IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIuWC:H/0/5fRdz4uLhz
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a...%.u.%.u.%.u...{.$.u.j.\|.1.u...x.$.u.Rich%.u.........................PE..L......e.....................P.......M............@

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Found GUI installer (many successful clicks)	System Summary

C:\Users\user\Desktop\ImcSys.log

ASCII text, with very long lines (728), with CRLF line terminators

dropped

Details

File:	C:\Users\user\Desktop\ImcSys.log
Category:	dropped
Dump:	ImcSys.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\INSIGNON.EXE
Type:	ASCII text, with very long lines (728), with CRLF line terminators
Entropy:	2.375314708306924
Encrypted:	false
Ssdeep:	24:FNnAJz9ONoiRHQ8QGQ+8QGQXzP7PQ9J6d:bnAZ9nihl0f0bsO
Size:	1866
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\INSIGNON.EXE

"C:\Users\user\Desktop\INSIGNON.EXE"

Details

Is windows:	false
Is dropped:	false
PID:	1164
Target ID:	0
Parent PID:	1028
Name:	INSIGNON.EXE
Path:	C:\Users\user\Desktop\INSIGNON.EXE
Commandline:	"C:\Users\user\Desktop\INSIGNON.EXE"
Size:	1429504
MD5:	4EB9CE3332C6D41FC80ED09CFC939C38
Time:	13:41:21
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1466368
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://Icons.Tritech.com/customericons

unknown

http://maps.google.com/mapfiles/kml

unknown

http://maps.google.com/mapfiles/ms/micons

unknown

Domains

Name

Malicious

fp2e7a.wpc.phicdn.net

192.229.211.108

Memdumps

Base Address

Regiontype

Protect

Malicious

2D6F000

stack

page read and write

2F6F000

stack

page read and write

55B000

unkown

page readonly

22BE000

stack

page read and write

738000

heap

page read and write

2C68000

heap

page read and write

723000

heap

page read and write

23A0000

trusted library allocation

page read and write

6DE000

heap

page read and write

6FB000

heap

page read and write

31AF000

stack

page read and write

710000

heap

page read and write

706000

heap

page read and write

2BE0000

heap

page read and write

32EF000

stack

page read and write

227E000

stack

page read and write

610000

heap

page read and write

2330000

heap

page read and write

650000

trusted library allocation

page execute read

619000

heap

page read and write

401000

unkown

page execute read

6D0000

heap

page read and write

6F0000

heap

page read and write

620000

heap

page read and write

2C60000

heap

page read and write

31EE000

stack

page read and write

644000

heap

page read and write

22FE000

stack

page read and write

737000

heap

page read and write

400000

unkown

page readonly

640000

heap

page read and write

556000

unkown

page read and write

2380000

heap

page read and write

70B000

heap

page read and write

19A000

stack

page read and write

5BE000

stack

page read and write

735000

heap

page read and write

99F000

stack

page read and write

710000

heap

page read and write

2AE0000

heap

page read and write

4980000

trusted library allocation

page read and write

670000

heap

page read and write

2E6F000

stack

page read and write

625000

heap

page read and write

55B000

unkown

page readonly

723000

heap

page read and write

6F0000

heap

page read and write

1F0000

heap

page read and write

718000

heap

page read and write

2390000

heap

page read and write

99000

stack

page read and write

723000

heap

page read and write

6FE000

heap

page read and write

615000

heap

page read and write

680000

heap

page read and write

2C2E000

stack

page read and write

739000

heap

page read and write

716000

heap

page read and write

570000

heap

page read and write

401000

unkown

page execute read

706000

heap

page read and write

723000

heap

page read and write

400000

unkown

page readonly

6DA000

heap

page read and write

A9F000

stack

page read and write

71A000

heap

page read and write

5FE000

stack

page read and write

There are 57 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
INSIGNON.EXE

Files

Processes

URLs

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportINSIGNON.EXE

Files

Processes

URLs

Domains

Memdumps

IOC Report
INSIGNON.EXE